DEVELOPING: How One Cybersecurity Expert Worked Out a “Kill Switch” for the Wanna Decryptor Ransomware Virus

May 14, 2017
A U.K.-based cybersecurity analyst known only as MalwareTech figured out a “kill switch” to stop the Wanna Decryptor 2.0 ransomware virus—but could that victory end up being short-lived?

Just a day after the Wanna Decryptor 2.0 ransomware virus erupted across the globe, virtually shutting down the United Kingdom’s National Health Service, and impeding the operations of such diverse organizations as the Spanish national telecommunications service, Renault auto plants in France, and universities in East Asia, The Independent of London has published an article sharing how one cybersecurity expert uncovered a kill switch for the virus. The Independent’s story also provided a link to the expert’s own narrative of his breakthrough.

As the article in The Independent, written by Ian Johnston and published in the early afternoon, eastern time in the U.S., reported, “The U.K.-based analyst, known as MalwareTech on social media and aged just 22 [he has refused to be identified by his given name], has now written a blog about the ‘crazy events’ that began after the malicious program struck on Friday. At one point, there was a suggestion he had actually helped encrypt people’s data and testing this involved deliberately trying to infect his own computer. When he realised he was in the clear, he described ‘jumping around with the excitement of having just been ransomwared.’ He had discovered a website domain name hidden in the ransomware’s code and was able to register it,” the Independent report noted. “WannaCry [another of the several names for Wanna Decryptor 2.0] was designed to contact the website after infecting a computer and, if it received a reply, to shut down. Registering the domain name caused this to happen and appears to have prevented thousands of attacks. But this was not clear when MalwareTech, who was supposed to be on holiday, began to investigate the program, as he described in the blog post entitled, How to Accidentally Stop a Global Cyber Attack.”

As the Independent noted, “The gratitude of the UK authorities was plain, with the National Cyber Security Centre, which is part of intelligence agency GCHQ, reposting the blog on its website. After getting a sample of the software, he began to carry out his analysis and ‘instantly noticed it queried an unregistered domain, which I promptly registered’. He said this was not done ‘on a whim’ but was fairly standard practice — he has registered several thousand similar domain names in the past year. The domains are then pointed to a sinkhole server which is designed to ‘capture malicious traffic’ and prevent the criminals from controlling infected computers. The data can also be used to inform victims that their computers have been infected and give an idea of how large the attacks are. Registering the domains can also potentially allow analysts to take control of the bot. MalwareTech said he then shared his sample of WannaCry, also known by several similar names, with another analyst.”

In his own account of tracking the outbreak of the Wanna Decryptor 2.0 ransomware virus, MalwareTech wrote: “While the domain was propagating, I ran the sample again in my virtual environment to be met with WannaCrypt ransom page; but more interestingly was that after encrypting the fake files I left there as a test, it started connecting out to random IP addresses on port 445 (used by SMB). The mass connection attempts immediately made me think exploit scanner, and the fact it was scanning on the SMB port caused me to look back to the recent ShadowBroker leak of NSA exploits containing… an SMB exploit. Obviously I had no evidence yet that it was definitely scanning SMB hosts or using the leaked NSA exploit, so I tweeted out my finding and went to tend to the now propagated domain.”
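The behaviour MalwareTech describes, one host suddenly attempting connections to many different addresses on port 445, is also what a defender can look for in network flow records. The following is an added example, not code from MalwareTech or The Independent; the flow records are constructed, and the 60-second window and 20-destination threshold are assumptions to tune per network.

```python
from collections import defaultdict, deque

SMB_PORT = 445
WINDOW_SECONDS = 60       # assumption: sliding window length
DISTINCT_DST_LIMIT = 20   # assumption: distinct SMB peers that count as scanning

def find_smb_scanners(flows, window=WINDOW_SECONDS, limit=DISTINCT_DST_LIMIT):
    """Return {src: peak distinct port-445 destinations in any window} for
    sources that reach `limit`. `flows` is time-sorted (ts, src, dst, dport)."""
    recent = defaultdict(deque)                       # src -> (ts, dst) in window
    in_window = defaultdict(lambda: defaultdict(int)) # src -> dst -> hit count
    flagged = {}
    for ts, src, dst, dport in flows:
        if dport != SMB_PORT:
            continue
        queue, seen = recent[src], in_window[src]
        queue.append((ts, dst))
        seen[dst] += 1
        # Drop attempts that have aged out of the sliding window.
        while queue and queue[0][0] <= ts - window:
            _, old_dst = queue.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        if len(seen) >= limit:
            flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged

def constructed_flows():
    """Constructed sample records; addresses are private/documentation ranges."""
    flows = []
    for i in range(40):    # infected host: 40 different SMB targets in 40 s
        flows.append((1000 + i, "10.0.0.23", f"198.51.100.{i + 1}", 445))
    for i in range(100):   # normal client: one file server, many sessions
        flows.append((1000 + i, "10.0.0.5", "10.0.0.2", 445))
    for i in range(30):    # web browsing: many peers, but not SMB
        flows.append((1000 + i, "10.0.0.7", f"203.0.113.{i + 1}", 443))
    for i in range(25):    # slow admin sweep: one new SMB peer per minute
        flows.append((1000 + i * 60, "10.0.0.9", f"10.0.1.{i + 1}", 445))
    return sorted(flows)

if __name__ == "__main__":
    print(find_smb_scanners(constructed_flows()))
```

Widening the window trades fewer missed slow scans for more false positives from legitimate administrative sweeps, as the `10.0.0.9` host in the sample shows.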

After going into considerable detail on the steps he took in his work on this, MalwareTech says of the cybercriminals behind this virus: “I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample. One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.”

Unfortunately, as an article published early Saturday morning, U.S. eastern time, in The Independent of London, and written by Aatif Sulleyman, reported, speaking of the U.K.’s National Health Service, “Up to 90 per cent of NHS computers still run Windows XP, according to a report published in the BMJ earlier this week. The operating system was released in 2001, and Microsoft cut support for it in 2014. People can continue to use the software, but doing so comes with enormous risks,” the report went on, quoting David Emm, the principal security researcher at Kaspersky, as saying that “Using XP is particularly bad because it’s no longer supported and there’s no way to patch it.”